Augmented Marauder / Water Saci multi-pronged phishing campaign targeting Latin America and Europe
Campaign
Summary
Hide ▲
Show ▼
Water Saci is actively evolving a WhatsApp Web worm in Brazil that uses HTA and PDF lures to deliver a banking trojan. The latest wave shifts from PowerShell to a Python-based propagation script that spreads through trusted contacts on WhatsApp Web, helping the campaign bypass conventional controls and increase infection rates. Trend Micro says the chain may have been ported with help from an LLM/code-translation tool. The malware uses AutoIt, executed.dat, and command-and-control domains including manoelimoveiscaioba[.]com and serverseistemasatu[.]com to support persistence, reconnaissance, and remote control.
Related Happenings
WhatsApp VBScript attachment distribution campaign
Campaign
H score42
First: 23.06.2026 08:38
Last: 23.06.2026 08:38
Sources 1
About this happening:
The active **WhatsApp VBScript** campaign is spreading malicious attachments that can lead to **remote access** on victim systems. It targets **WhatsApp Desktop** and **WhatsApp W...
WhatsApp VBScript attachment distribution campaign
CampaignAbout this happening: The active **WhatsApp VBScript** campaign is spreading malicious attachments that can lead to **remote access** on victim systems. It targets **WhatsApp Desktop** and **WhatsApp W...
WhatsApp VBScript infection chain installing ManageEngine RMM Central
Malware Activity
H score20
First: 23.06.2026 08:38
Last: 23.06.2026 08:38
Sources 1
About this happening:
**VBScript attachments** spread through **WhatsApp direct messages** are now driving a **multi-stage Windows infection chain** that can end in remote access to victim systems. The...
WhatsApp VBScript infection chain installing ManageEngine RMM Central
Malware ActivityAbout this happening: **VBScript attachments** spread through **WhatsApp direct messages** are now driving a **multi-stage Windows infection chain** that can end in remote access to victim systems. The...
WhatsApp VBScript phishing campaign targeting users in multiple countries
Campaign
H score43
First: 23.06.2026 01:42
Last: 23.06.2026 01:42
Sources 1
About this happening:
An **ongoing phishing campaign** is using **compromised WhatsApp accounts** to send **obfuscated VBScript files** to users in **multiple countries**, creating a path to **remote s...
WhatsApp VBScript phishing campaign targeting users in multiple countries
CampaignAbout this happening: An **ongoing phishing campaign** is using **compromised WhatsApp accounts** to send **obfuscated VBScript files** to users in **multiple countries**, creating a path to **remote s...
NSO Group WhatsApp spear-phishing campaign
Campaign
H score37
First: 08.06.2026 20:08
Last: 08.06.2026 20:08
Sources 1
About this happening:
**NSO Group** remains tied to a **WhatsApp** spear-phishing **campaign** that used **malicious links** to push targets to external websites outside the app. On **June 8**, WhatsAp...
NSO Group WhatsApp spear-phishing campaign
CampaignAbout this happening: **NSO Group** remains tied to a **WhatsApp** spear-phishing **campaign** that used **malicious links** to push targets to external websites outside the app. On **June 8**, WhatsAp...
TCLBANKER banking trojan activity targeting 59 financial platforms
Malware Activity
H score20
First: 08.05.2026 21:12
Last: 08.05.2026 21:12
Sources 1
About this happening:
**TCLBANKER** is a newly documented **Brazilian banking trojan** that can hit **59 banking, fintech, and cryptocurrency platforms**, increasing the risk of credential theft and re...
TCLBANKER banking trojan activity targeting 59 financial platforms
Malware ActivityAbout this happening: **TCLBANKER** is a newly documented **Brazilian banking trojan** that can hit **59 banking, fintech, and cryptocurrency platforms**, increasing the risk of credential theft and re...
Timeline
-
01.04.2026 15:36 2 articles · 3mo ago
Augmented Marauder / Water Saci phishing campaign targets Latin America and Europe
Campaign Scope UpdateAugmented Marauder / Water Saci are running a multi-pronged phishing campaign against Spanish-speaking users in organizations across Latin America and Europe, using email, WhatsApp, and ClickFix paths to deliver Casbaneiro (Metamorfo) through Horabot and to harvest Outlook contacts for further phishing.
Show sources
- Casbaneiro Phishing Targets Latin America and Europe Using Dynamic PDF Lures — thehackernews.com — 01.04.2026 15:36
- Casbaneiro Phishing Targets Latin America and Europe Using Dynamic PDF Lures — thehackernews.com — 01.04.2026 15:36
-
01.04.2026 15:36 2 articles · 3mo ago
Phishing chain uses PDF lure, HTA/VBS payloads, and AutoIt loaders
Technical Analysis UpdateThe delivery chain starts with court summons-themed phishing emails that push a password-protected PDF, a malicious link, and an automatic ZIP download before executing HTA and VBS payloads; the VBS stage performs anti-analysis checks, retrieves AutoIt-based loaders, and launches encrypted payloads that load staticdata.dll for Casbaneiro and at.dll for Horabot, including a remote PHP API at hxxps://tt.grupobedfs[.]com/.../gera_pdf.php for dynamic PDF generation.
Show sources
- Casbaneiro Phishing Targets Latin America and Europe Using Dynamic PDF Lures — thehackernews.com — 01.04.2026 15:36
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32